CLI-based Configuration Guide - VPN

AR650, AR1600, and AR6100 V300R003

This document describes VPN features on the device and provides configuration procedures and configuration examples.
(Optional) Allowing New Users with the Same Traffic Rule as Original Branch Users to Access the Headquarters Network

Context

After an enterprise branch and its headquarters establish an IPSec tunnel, the IP address of the branch gateway interface to which the IPSec policy group is applied changes when the link status changes. For example, the branch gateway connects to the Internet through dial-up and establishes an IPSec tunnel with the headquarters. When the local IP address of the IPSec tunnel on the branch gateway changes, the headquarters gateway still holds the existing IPSec tunnel that protects packets exchanged between the headquarters gateway and the branch gateway (original users). Because the data flows of the branch gateway at its new address (new users) are the same as those of the original users, the branch gateway and headquarters gateway cannot rapidly reestablish an IPSec tunnel to protect the traffic exchanged between them.

You can configure the device to allow new users with the same traffic rule as original branch users to access the headquarters network so that the existing IPSec SAs can be rapidly aged and a new IPSec tunnel can be established.

NOTE:
The prerequisites are as follows:
  • The headquarters gateway functions as the responder and uses an IPSec policy template to establish an IPSec tunnel with the branch gateway.
  • The ACL rules for the new users must be the same as those for original users.
  • The interface used by new users to access the headquarters gateway must be the same as that used by original users.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run ipsec remote traffic-identical accept

    The device is configured to allow new users with the same traffic rule as original branch users to access the headquarters network.

    By default, the device allows branch or other users to quickly access the headquarters network after their IP addresses are changed.

Updated: 2019-04-12

Document ID: EDOC1100041799
